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IN THE CLATM^ : 
Amended claims follow: 

1 . (Currently Amended) A computerized method to prevent identification of an 
operating system executing on a computer connected to a network comprising: 

intercepting a portion of outgoing network data characteristic of the operating 
system; and 

conditionally masking the portion of outgoing network data to impersonate a 
different operating system in accordance with a security policy if the network is an 
untrusted network; 

wherein masking the portion comprises: 

replacing the portion of outgoing network data with data characteristic of 
the different operating system to prevent identification of the operating system by 
impersonating the different operating system, for misleading attackers into 
attempting attacks that are unworkable on the operating system. 

2. (Original) The computerized method of claim 1 , wherein masking the portion 
comprises: 

discarding the portion of outgoing network data. 

3. (Cancelled) 

4. (Original) The computerized method of claim 1 , wherein the security policy 
identifies the portion of outgoing network data and specifies an action to take to mask the 
portion of outgoing network data. 

5. (Original) The computerized method of claim 1, wherein the security policy 
further specifies replacement data for the portion of outgoing network data, the 
replacement data characteristic of the different operating system. 
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6. (Original) The computerized method of claim 1 , wherein the security policy 
further defines the network as untrusted. 

7. (Original) The computerized method of claim 1 further comprising: 
receiving the security policy through the network. 

8. (Original) The computerized method of claim 1 further comprising: 
modifying the security policy based on user input 

9. (Original) The computerized method of claim 1 further comprising; 
transmitting the portion of outgoing network data unchanged if the network is a 

trusted network. 

10. (Original) The computerized method of claim 1 further comprising: 
intercepting a portion of incoming network data; and 

sending a false response to the portion of incoming network data to impersonate 
the different operating system in accordance with the security policy if the network is an 
untrusted network. 

1 1 . (Original) The computerized method of claim 1 0, wherein the security policy 
identifies the portion of incoming network data and the false response. 

12. (Original) The computerized method of claim 1 , wherein the method is integrated 
into a firewall that protects the computer. 

13. (Currently Amended) A computer-readable medium having executable 
instructions to [a ]cause a computer to perform a method comprising: 

intercepting a portion of outgoing network data characteristic of an operating 
system executing on the computer when the computer is connected to a network; and 

conditionally m asking the portion to impersonate a different operating system in 
accordance with a security policy if the network is an untrusted network; 
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wherein masking the portion comprises: 

replacing the portion with data characteristic of the different operating system t 
prevent identification of the operating system by impersonating the different operating 
system, for misleading attackers into attempting attacks that are unworkable on the 
operating system. 



14. (Original) The computer-readable medium of claim 13, wherein masking the 
portion comprises: 

discarding the portion. 

15. (Cancelled) 

16. (Original) The computer-readable medium of claim 13, wherein the security 
policy identifies the portion and specifies an action to take to mask the portion, 

17. (Original) The computer-readable medium of claim 13, wherein the security 
policy further specifies replacement data for the portion, the replacement data 
characteristic of the different operating system. 

18. (Original) The computer-readable medium of claim 13, wherein the security 
policy further defines the network as untrusted. 

19. (Original) The computer-readable medium of claim 13, wherein the method 
further comprises; 

receiving the security policy through the network. 

20. (Original) The computer-readable medium of claim 13, wherein the method 
further comprises: 

modifying the security policy based on user input. 
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21 - (Original) The computer-readable medium of claim 13, wherein the method 
further comprises: 

transmitting the portion unchanged if the network is a trusted network. 

22. (Original) The computer-readable medium of claim 13, wherein the method 
further comprises: 

intercepting a portion of incoming network data; and 

sending a false response to the portion of incoming network data to impersonate 
Hie different operating system in accordance with the security policy if the network is an 
untrusted network. 

23. (Original) The computer-readable medium of claim 22, wherein the security 
policy identifies the portion of incoming network data and the false response. 

24. (Original) The computer-readable medium of claim 13, wherein the instructions 
are operable for integration into a firewall. 

25. (Currently Amended) A computerized system comprising: 
a processing unit; 

a memory coupled to the processing unit through a bus; 

a network interface coupled to the processing unit through the bus and further 
operable for coupling to a network; 

an operating system executed from the memory by the processing unit; and 

a fingerprint masking process executed from the memory by the processing unit to 
cause the processing unit to intercept a portion of network data characteristic of the 
operating system when me network interface is coupled to the network, and to 
condjtionallX.mask the portion to impersonate a different operating system in accordance 
with a security policy if the network is an untrusted network; 

wherein the fingerprint masking process further causes the processing unit to 
mask the portion by replacing the portion with data characteristic of the different 
operating system to prevent identification of me operating system by impersonating the 
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different operating system, for misleading attackers into attempting attacks that are 
unworkable on the operating system. 

26. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to mask the portion by discarding the portion. 

27. (Cancelled) 

28. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to transmit the portion unchanged if the 
network is a trusted network. 

29. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to receive the security policy through the 
network interface. 

30. (Original) The computerized system of claim 25 further comprising a user input 
device coupled to the processing unit through the bus and wherein the fingerprint 
masking process further causes the processing unit to receive input through the user input 
device and to modify the security policy based on the input. 

31. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to intercept a portion of incoming network data 
when the network interface is coupled to the network, and to send a false response to the 
portion of incoming network data to impersonate the different operating system : 
accordance with the security policy if the network is an untrusted network. 



. m 



32. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process is integrated into a firewall process that is executed by the processing unit. 
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33. (Original) The computerized system of claim 25, wherein the computerized 
system is a firewall and the fingerprint masking process masks an operating system 
computer coupled to the firewall. 



34. (Previously Presented) A computer-readable medium having stored thereon an OS 
fingerprint policy data structure comprising: 

a data unit type field containing data representative of an identifier for a type of 
data unit, wherein information associated with me data unit is characteristic of an 
operating system; and 

an action field containing data representative of an action to be taken to mask the 
information associated with the data unit identified by the data unit type field; 

wherein masking the information comprises: 

replacing the information with information characteristic of a different operating 
system to prevent identification of the operating system by impersonating the different 
operating system, for misleading attackers into attempting attacks that are unworkable on 
the operating system. 



35. (Original) The computer-readable medium of claim 34 further comprising: 

a re-fingerprint field containing data representative of an identifier for a field typi 



within the data unit type identified by the data unit type field, and further containing 
fingerprint data that identifies replacement data for the field identified by the field typ 



e 

re- 
e. 



36. (Original) The computer-readable medium of claim 35, wherein the re-fingerprint 
data is selected from the group consisting of the replacement data and a location for the 
replacement data. 



37. (Original) The computer-readable medium of claim 34 further comprising: 

a re-fingerprint field containing data representative of an identifier for a field type 
within a false response to the data unit type identified by the data unit type field, and 
further containing re-fingerprint data that identifies false data for the field identified by 
the field type. 
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38. (Original) The computer-readable medium of claim 37, wherein the re-fingerprint 
data is selected from the group consisting of the false data and a location for the false 
data. 

39. (Original) The computer-readable medium of claim 34 further comprising: 

a network identifier field containing data representative of an identifier for a 
network that is untrusted when transmitting the type of data unit identified by the data 
unit type field. 

40. (Previously Presented) The computerized method of claim 1, wherein the security 
policy contains data on a plurality of different operating systems for allowing the portion 
of outgoing network data to impersonate any one of the plurality of different operating 
systems. 

41. (Previously Presented) The computerized method of claim 40, wherein each of the 
different operating systems included in the plurality of different operating systems is 
assigned a specific untrusted network for masking the portion of outgoing data according 
to the untrusted network. 

42. (Previously Presented) The computerized method of claim 10, wherein the false 
response is sent if the operating system would normally not respond to the mcoming 
network data. 

43. (Previously Presented) The computerized method of claim 4, wherein the action 
includes discarding the portion of outgoing network data. 
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